
Sandboxing & Security

Suitcase is designed as a local-first agent. It can help organize career evidence, draft artifacts, reflect on conversations, and propose changes, but it is not supposed to act externally without review.

Local-First Boundary

By default, Suitcase runs on your machine:

  • The FastAPI app serves the web UI locally.
  • The SQLite database is stored under app/data/.
  • Agent memory and generated artifacts live under suitcase_world/.
  • LLM credentials are stored server-side and are not returned to the browser after save.

Cloud LLMs are optional. For local inference, the recommended free path is Relay with llama.cpp.

Write Confinement

Suitcase agent writes are confined to suitcase_world/.

The path guard is intended to block:

  • Absolute paths outside the world root
  • Parent directory traversal with ..
  • Symlink escapes
  • Generated artifacts landing outside the project world directory

This keeps reflections, patch requests, reports, project scaffolds, and career artifacts in a reviewable workspace.
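The following is an added illustration of the kind of path guard described above; it is not Suitcase's own implementation. It assumes a single world root directory (named suitcase_world/ here), rejects the four escape classes listed, and builds a throwaway world with a symlink pointing outside it so each case can be exercised offline.

```python
"""Path guard that confines agent writes to a world root (added example)."""
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested write would land outside the world root."""


def resolve_world_path(world_root: Path, requested: str) -> Path:
    """Return the resolved target for `requested` if it stays under `world_root`."""
    root = world_root.resolve()
    req = Path(requested)

    # 1. Reject parent traversal before any normalisation so "a/../../x" cannot hide
    if ".." in req.parts:
        raise PathEscapeError(f"parent-directory traversal rejected: {requested!r}")

    # 2. Relative paths are interpreted under the root; absolute ones are taken as given
    candidate = req if req.is_absolute() else root / req

    # 3. resolve() follows symlinks on the existing prefix of the path, so a symlinked
    #    directory inside the world that points elsewhere yields a path outside `root`
    resolved = candidate.resolve()
    try:
        resolved.relative_to(root)
    except ValueError:
        raise PathEscapeError(f"path escapes world root: {requested!r} -> {resolved}") from None
    return resolved


def write_artifact(world_root: Path, requested: str, content: str) -> Path:
    """Write `content` only after the guard has accepted the target path."""
    target = resolve_world_path(world_root, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target


def run_demo() -> dict[str, bool]:
    """Try each escape class against a constructed world; map case name -> write allowed."""
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        world = base / "suitcase_world"   # assumed world root name
        outside = base / "elsewhere"      # a directory the agent must never touch
        world.mkdir()
        outside.mkdir()
        # A symlink inside the world that points outside it (the "symlink escape" case)
        (world / "escape_link").symlink_to(outside, target_is_directory=True)

        cases = {
            "relative_inside": "reflections/2024-notes.md",
            "absolute_inside": str(world / "reports" / "weekly.md"),
            "parent_traversal": "reflections/../../elsewhere/owned.md",
            "absolute_outside": str(outside / "owned.md"),
            "symlink_escape": "escape_link/owned.md",
        }
        for name, requested in cases.items():
            try:
                write_artifact(world, requested, "constructed sample content\n")
                results[name] = True
            except PathEscapeError:
                results[name] = False
        # Nothing should have been created outside the world root
        results["outside_untouched"] = not any(outside.iterdir())
    return results


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case:18} {'allowed' if allowed else 'blocked'}")
```

Resolving the existing prefix of the path (rather than only string-checking it) is what catches the symlink case: the link itself lives under the world root, but its resolved target does not. Checking for `..` before resolution keeps the rejection explicit even when the traversal would have landed back inside the root.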

Proposal-First Actions

Suitcase should propose sensitive changes instead of applying them directly.

It is designed not to:

  • Submit job applications without approval
  • Contact people without permission
  • Publish content without review
  • Modify source code or configuration directly as an agent action
  • Write agent artifacts outside suitcase_world/

The normal pattern is: Suitcase drafts or proposes, you review, then you decide what to apply.

Secrets

Secrets should stay server-side.

  • LLM API keys are saved in .env or server-side runtime secret storage.
  • The setup API reports whether a key exists, not the key value.
  • Discord and GitHub tokens should not be copied into world files, chat messages, reports, or patch requests.
  • Logs and diagnostics should avoid printing secret values.

If you accidentally paste a token into a world file or chat message, rotate that token.

Model Choice Matters

The LLM is part of the security boundary because it must follow Suitcase's system prompt, world rules, and tool instructions.

Verified local baseline:

Model: Gemma 4 26B MoE (A4B active), IQ4_XS quantized
Runtime: Relay with llama.cpp

Smaller local models can be useful for experimentation, but models below 8B parameters are not recommended for security-sensitive conversations. They are more likely to miss instructions, mishandle prompt injection, or ignore boundary language.

Discord Bot Safety

Discord is optional. When enabled:

  • Configure the bot token server-side.
  • Prefer restricting the bot to your own user ID or a specific channel.
  • Treat Discord messages as untrusted user input.
  • Do not paste secrets into Discord conversations with the bot.

Cloudflare Access

If your LLM endpoint is behind Cloudflare Access, configure the Access headers in the setup wizard's optional headers field. Those headers are attached to LLM requests server-side.

Do not place Cloudflare client secrets in docs, world files, or shared logs.

What To Review

Review these before trusting a new setup:

  1. suitcase_world/WORLD.md for immutable world rules and safety boundaries
  2. suitcase_world/SOUL.md for voice and trust principles
  3. suitcase_world/SELF.md for mutable operating style
  4. .env for local configuration and secrets
  5. The admin console safety/status cards after setup

For the broader runtime design, see Architecture and World & Self Model.
